Despite the fact that four months have passed since the EMV (EuroPay, MasterCard and Visa) liability shift officially took effect in the U.S., only a small percentage of retailers are actually in compliance with the standard, which requires merchants to implement chip-enabled payment card terminals in their stores or risk being liable for fraudulent purchases.
According to a January survey of 200 retail industry professionals at the National Retail Federation’s Annual Convention and Expo conducted by electronic payment and banking solutions provider ACI Worldwide, only 8.5 percent of respondents indicated they were EMV-complaint, while another 14 percent said they were not prepared at all. Additionally, 48 percent of respondents said they were prepared or somewhat prepared, but still have work to do and/or are still evaluating their options for EMV compliance.
In the wake of large-scale data breaches at retail giants, such as Target and Home Depot, there has been a huge outcry from consumers and banks alike for merchants to implement better data security protocols including the overhaul of magstripe payment card readers which were seen as a weak link in the data security chain. As a result, retailers have invested millions of dollars into replacing their old point-of-sale terminals with ones that can support the new chip-enabled payment cards now being issued to consumers.
While the number of EMV-compliant retailers may be seem incredibly low given the potential financial consequences, Michael Grillo, director of product marketing for ACI Worldwide, said he wasn’t all that surprised by the survey’s findings.
“I think the survey confirmed what we were expecting to see based on our experience with our own customer base. We had done a similar survey a year ago at NRF and based on the conversations we had leading up to the Oct. 1 deadline and knowing where some of our customers were in terms of the certification process for EMV, we knew a lot them were not going to be ready by the deadline,” said Grillo. “Many at the end of last year were able to finish out their EMV certifications but a lot of them put off going through that process because it is their busy time of year, so it was all hands on deck to make sure their stores were running as efficiently as possible.”
Grillo said the extraordinarily high number of respondents who indicated they were not prepared for EMV could be attributed to smaller merchants who obviously don’t have the same amount of resources to devote to bringing their businesses into compliance. Grillo confirmed that the overwhelming majority of large retailers that ACI works with are either already in compliance or have plans to become compliant sometime this year.
“I think we are still going to see (retailers) converting to EMV through the end of this year and into early 2017,” added Grillo.
Becoming EMV-compliant is not just a matter of installing chip-enabled POS terminals and turning them on, but rather involves an entire certification process in which merchants must have their payment terminals certified by EMVCo, the body responsible for managing and maintaining the EMV specifications for payment systems, as well as by the card brands the retailer chooses to accept. That is one of the reasons why many stores that already have EMV terminals in place are still using swipe-and-sign to process payments rather than chip-and-signature, which is expected to become the standard moving forward.
“There is a certain amount of time that goes into having that take place. It is not a situation where you just turn the switch, so to speak, and EMV is ready. Once you’ve updated your hardware and software, there is testing that needs to take place so you can get certification from the various associations to say you’re compliant,” explained Grillo. “Part of it is there may be a waiting game or a queue process. Some of it is they may have made an investment in one part but not the other, so I think it is like anything just having the time and resources and getting in line.”
Many card issuers also have some work left to do in terms of getting chip-enabled credit and debit cards into the hands of consumers. Another survey conducted by ACI late last year found that only about 40 percent of consumers had received a chip-enabled credit card. Grillo said many banks have taken a segmented approach to reissuing cards due to the costs involved with providing them to their entire customer base all at once.
“They may have been focused on folks who have higher credit limits, people in riskier areas or they may have had a geographic segmented approach. If they had customers whose accounts were caught up in a data breach somewhere, those may have also taken precedent,” said Grillo.
Aside from EMV compliance, the survey also found that payments security is a huge concern for retailers when it comes to purchases made on mobile apps and by those using mobile wallet applications, such as Apple Pay or Android Pay. In fact, 72 percent of those surveyed ranked payment security as the top feature they wanted their mobile app to deliver and 75 percent prioritized payment security as the most important feature of a mobile wallet offering.
While merchants have obviously had to invest heavily in payments security from an online perspective for some time, Grillo said the migration to EMV has also forced many of them to take a look at employing such measures as transaction monitoring through their online or mobile channels to provide them with insights into potentially fraudulent transactions. According to Erika Dietrich, global director of payments risk management for ACI's ReD Shield, retailers want to ensure they have a cohesive risk strategy across these multiple payment channels.
“That has been one of the biggest points of frustration for some of the merchants we’ve talked with. They now have all of these different channels and all of these different payment options but things are in silos, they’re not talking to each other and therefore we see fraud jump from channel to channel and payment method to payment method and criminals are able to commit fraud very easily through negotiating through those various channels,” said Dietrich.
Dietrich said retailers are also in the midst of figuring out which of these mobile payment options will have real staying power in market and provide them with the least amount of fraud exposure. “The ones they are able to understand and implement easily and put controls around, the merchants are gravitating more towards those than the ones that are more complicated and maybe not as user friendly,” she said.
